CyberHappenings logo
Home Browse About

Track cybersecurity events as they unfold. Sourced timelines, daily updates. Fast, privacy‑respecting. No ads, no tracking.

Active Exploitation of Citrix NetScaler CVE-2025-6543 in Dutch Critical Sectors

First reported
Last updated
1 unique sources, 1 articles

Summary

Hide ▲

The Dutch National Cyber Security Centre (NCSC-NL) has confirmed active exploitation of the critical Citrix NetScaler CVE-2025-6543 vulnerability in several critical organizations within the Netherlands. The flaw, which allows unintended control flow and denial-of-service (DoS), has been exploited since May 2025. Investigations are ongoing to determine the full extent of the impact. The exploitation involved the use of web shells for remote access, and attackers attempted to erase traces of their activities. Organizations are advised to apply the latest updates, terminate active sessions, and run a provided shell script to hunt for indicators of compromise.

Timeline

  1. 12.08.2025 11:36 1 articles · 1mo ago

    Active Exploitation of Citrix NetScaler CVE-2025-6543 Confirmed in Dutch Critical Sectors

    The Dutch NCSC-NL has confirmed active exploitation of CVE-2025-6543 in critical sectors within the Netherlands. The vulnerability has been exploited since May 2025, with web shells used for remote access. The exploitation was discovered on July 16, 2025. Organizations are advised to apply patches, terminate active sessions, and use a provided shell script to detect indicators of compromise.

    Show sources
    Open in new tab

Information Snippets

Similar Happenings

FreePBX Zero-Day Exploited in the Wild, Emergency Patch Released

A zero-day vulnerability in FreePBX (CVE-2025-57819) is actively exploited in the wild. The flaw allows unauthenticated access to the FreePBX Administrator, leading to arbitrary database manipulation and remote code execution. FreePBX versions 15, 16, and 17 are affected. The exploit has been used since at least August 21, 2025, targeting systems with inadequate IP filtering or access control lists (ACLs). Sangoma has released an emergency patch and indicators of compromise (IOCs) to help administrators detect exploitation. Users are advised to upgrade, restrict public access to the administrator control panel, and check for a known issue in the v17 'framework' module that may prevent automated update notification emails. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, requiring federal agencies to apply the fixes by September 19, 2025.

Open in new tab

Multiple vulnerabilities in Citrix and Git added to CISA KEV catalog

CISA has added multiple vulnerabilities to its KEV catalog due to active exploitation. The flaws affect Citrix Session Recording, Git, and Citrix NetScaler ADC and NetScaler Gateway. The Citrix Session Recording vulnerabilities were patched in November 2024, the Git flaw was addressed in July 2025, and the NetScaler vulnerabilities were patched in August 2025. Federal agencies must apply mitigations by September 15, 2025, for the earlier vulnerabilities and within 48 hours for the NetScaler vulnerabilities. The vulnerabilities are CVE-2024-8068, CVE-2024-8069, CVE-2025-48384, CVE-2025-7775, CVE-2025-7776, and CVE-2025-8424. The first two affect Citrix Session Recording, the third affects Git, and the last three affect Citrix NetScaler ADC and NetScaler Gateway. CVE-2025-48384 is an arbitrary file write vulnerability in Git due to inconsistent handling of carriage return characters in configuration files. The vulnerability affects macOS and Linux systems, with Windows systems being immune due to differences in control character usage. The flaw was resolved in Git versions 2.43.7, 2.44.4, 2.45.4, 2.46.4, 2.47.3, 2.48.2, 2.49.1, and 2.50.1. The vulnerability impacts software developers using Git on workstations and CI/CD build systems. CVE-2025-7775 is a memory overflow vulnerability leading to remote code execution and/or denial-of-service. CVE-2025-7776 is a memory overflow vulnerability leading to unpredictable behavior and denial-of-service. CVE-2025-8424 is an improper access control vulnerability in the NetScaler Management Interface. CVE-2025-7775 has been actively exploited in the wild and was added to the CISA KEV catalog on August 26, 2025, requiring federal agencies to remediate within 48 hours. The vulnerabilities affect both supported and unsupported, end-of-life versions of Citrix NetScaler ADC and NetScaler Gateway. Nearly 20% of NetScaler assets identified are on unsupported versions, primarily in North America and the APAC region. The vulnerabilities affect similar components in NetScaler ADC and NetScaler Gateway as the CitrixBleed and CitrixBleed2 vulnerabilities.

Open in new tab

N-able N-central vulnerabilities exploited in the wild

Over 800 N-able N-central servers remain unpatched against two critical security flaws, CVE-2025-8875 and CVE-2025-8876, which have been actively exploited in the wild. These vulnerabilities allow for command execution and command injection, respectively. The issues have been addressed in N-central versions 2025.3.1 and 2024.6 HF2, released on August 13, 2025. N-able has urged customers to enable multi-factor authentication (MFA) for admin accounts to mitigate potential risks. The exploitation of these vulnerabilities highlights the importance of timely patching and robust security measures in managing remote monitoring and management (RMM) systems. The active exploitation in the wild underscores the need for vigilance and proactive security practices among cybersecurity professionals. CISA has added the flaws to its Known Exploited Vulnerabilities Catalog and ordered federal agencies to patch their systems within one week.

Open in new tab

Erlang/OTP SSH RCE Exploits Targeting OT Firewalls

A surge in exploitation of CVE-2025-32433, a critical security flaw in Erlang/OTP SSH, has been observed since May 2025. Approximately 70% of these exploits target operational technology (OT) firewalls. This vulnerability, patched in April 2025, allows attackers to execute arbitrary code on vulnerable systems without authentication. The attacks have primarily affected healthcare, agriculture, media, entertainment, and high technology sectors in the U.S., Canada, Brazil, India, Australia, Japan, the Netherlands, Ireland, and France. The exploitation involves using reverse shells to gain unauthorized remote access to target networks. The specific threat actors behind these efforts remain unidentified. The flaw is due to improper state enforcement in the Erlang/OTP SSH daemon, allowing unauthenticated clients to execute commands by sending SSH connection protocol messages to open SSH ports. The flaw has been exploited to create TCP connections and bind them to a shell, allowing interactive command execution over the network. The flaw could have severe consequences on an organization, their network, and operations, including the compromise of sensitive information and disruption of operations.

Open in new tab